Spyware/BargainBuddy

#0
21.04.2005, 14:06
Member
Posts: 14
23.04.2005, 02:19
Honorary member
Posts: 29434
#2
Hello @Zira

Start > Run > type: cmd
A DOS window opens. Paste in:
sc stop ZESOFT
Press "Enter" and wait a moment, then paste in:
sc delete ZESOFT
Press "Enter". Paste in:
del C:\WINDOWS\zeta.exe
Press "Enter".

Open HijackThis -->> button "Scan" -->> tick the following entries -->> button "Fix checked" -->> restart the PC

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {33FB3B50-C042-0C97-8724-645508F37D3C} - (no file)
O2 - BHO: (no name) - {93CE175E-A3E2-AE3A-9D28-DEC81B8D2BE4} - C:\WINDOWS\System32\gxqypknr.dll
O2 - BHO: (no name) - {B01E8A0F-3BEC-356B-99A8-46819FC45FE1} - C:\WINDOWS\System32\wipz.dll (file missing)
O4 - HKCU\..\Run: [Fze] C:\WINDOWS\System32\w?crtupd.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Restart the PC.

•KillBox
http://www.bleepingcomputer.com/files/killbox.php
•Delete File on Reboot <-- tick this and click the red cross; when asked "Do you want to reboot?" click "no" and paste in the next one, only on the last one click "yes":

C:\WINDOWS\System32\exdl1.exe
C:\WINDOWS\System32\kalvcar32.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\trkgif.exe
C:\WINDOWS\bargains.exe
C:\WINDOWS\cashback.exe
C:\WINDOWS\pconugl.exe
C:\WINDOWS\zeta.exe
C:\WINDOWS\Downloaded Program Files\internazionale_ver10.ocx
C:\WINDOWS\Downloaded Program Files\internazionale_ver4.ocx
C:\WINDOWS\System32\w?crtupd.exe
C:\WINDOWS\System32\wipz.dll
C:\WINDOWS\System32\gxqypknr.dll

Restart the PC.

Download the beta* of our new anti-spyware software today
http://www.microsoft.com/athome/security/spyware/software/default.mspx
whether or not you have a valid XP version (when downloading, choose not to check the version)

1. Download L2mfix from here:
2. http://www.atribune.org/downloads/l2mfix.exe
http://bilder.informationsarchiv.net/Nikitas_Tools/l2mfix.exe
3. Save the file to your desktop and double-click l2mfix.exe.
4. Click Install to extract the files and follow the prompts during installation.
5. Then open the newly created folder l2mfix on your desktop.
6. Double-click the file l2mfix.bat, type 1 and press [Enter] to run the Find log. This will scan your computer. It may look as if nothing is happening, but after 1 or 2 minutes Notepad will open with a log.
7. Copy the contents with Ctrl+A and paste them into your thread with Ctrl+V... or simply copy with the mouse.
IMPORTANT: Do not use option 2 or any other files from the l2mfix folder until you are asked to!
8. Close all open programs, since the next step requires a restart. Click l2mfix.bat again and type 2 --> [Enter].
9. Press any key to start a system restart.
10. After the restart, your desktop icons will briefly appear and disappear - this is NORMAL.
11. L2mfix will continue the system scan and when it is finished, Notepad will open and display a log. Copy this one into the thread/forum as well (Ctrl+C & Ctrl+V). Also post a current HijackThis log.
IMPORTANT: Do not use option 2 or any other files from the l2mfix folder until you are asked to!
12. Double-click l2mfix.bat again and enter 4. Confirm with [Enter].
13. This restores the Winlogon default settings.
14. Post a current HijackThis log.

__________
Kind regards, Sabina
all about PC security
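The entries Sabina tells Zira to fix are the classic patterns a HijackThis log shows on an infected machine: BHOs with no name or no file, an autostart path containing a character HijackThis cannot display (w?crtupd.exe), a trusted IP range added to a zone, ActiveX dialer downloads from an unfamiliar host, and a service with an unknown owner whose file is missing. As an added example that is not part of this thread, the following Python script parses HijackThis log lines and flags those patterns automatically. The sample log is constructed from lines posted in this thread; the DPF host allowlist is an assumed, operator-maintained list, not something HijackThis ships.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts from which ActiveX (O16 DPF) downloads are expected on this machine.
# Assumption: an operator-maintained allowlist, not part of HijackThis.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "support.f-secure.com"}

# One HijackThis entry: "<section> - <body>", e.g. "O4 - HKCU\..\Run: [Fze] ..."
HJT_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
URL = re.compile(r"https?://\S+")

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {33FB3B50-C042-0C97-8724-645508F37D3C} - (no file)
O2 - BHO: (no name) - {93CE175E-A3E2-AE3A-9D28-DEC81B8D2BE4} - C:\WINDOWS\System32\gxqypknr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arbeiten\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Fze] C:\WINDOWS\System32\w?crtupd.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Arbeiten\Antivir\AVGUARD.EXE
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def check_entry(sec, body):
    """Return the list of reasons an entry deserves a closer look (empty = clean)."""
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the file it points to no longer exists")
    if sec == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook removed")
    if sec == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")
    if sec == "O4" and "?" in body:
        # HijackThis prints '?' for characters outside the local code page.
        reasons.append("autostart file name contains a character HijackThis cannot display")
    if sec == "O15":
        reasons.append("site or IP range added to a trusted zone")
    if sec == "O16":
        m = URL.search(body)
        host = urlparse(m.group(0)).hostname if m else None
        if host not in TRUSTED_DPF_HOSTS:
            reasons.append(f"ActiveX download from non-allowlisted host {host}")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor information")
    return reasons


def triage_hjt(log_text):
    """Parse a HijackThis log and return a Finding for every suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        reasons = check_entry(m["sec"], m["body"])
        if reasons:
            findings.append(Finding(m["sec"], line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:4s} {f.line}")
        for r in f.reasons:
            print(f"      -> {r}")
```

The rules are deliberately narrow: an entry is reported with every reason that applies, so the ZESOFT service above is listed twice (unknown owner and missing file), while legitimate entries such as the Acrobat BHO or the AntiVir service produce nothing.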
23.04.2005, 13:47
Member
Thread starter
Posts: 14
#3
Here is the first log from L2Mfix:
L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"DT"="IEAKT-Online International AG"

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitätsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen für Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen für die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Eigenschaftenseitenerweiterung des automatischen Updates"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknüpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmenü"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausführen..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzügen über das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}"="Shell extensions for NetWare"
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}"="Shell extensions for NetWare"
"{52c68510-09a0-11cf-8daa-00aa004a5691}"="Shell extensions for NetWare"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Property Sheet Shell Extension"
"{D0FAC080-AE1A-11ce-8016-CE90976DC901}"="iGrafx Image Viewer"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{E8D43C7E-EFA1-41A2-9AD9-0CFECD1678B7}"="SafeErase"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
gwfspi~1.dll Fri 28 Jan 2005 15:37:58 A.... 23.304 22,76 K
legitc~1.dll Fri 28 Jan 2005 15:38:00 A.... 421.128 411,26 K

2 items found: 2 files, 0 directories.
Total of file sizes: 444.432 bytes 434,02 K

Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: 381F-0A07

 Verzeichnis von C:\WINDOWS\System32

06.04.2005 14:36 425.984 w?crtupd.exe
03.11.2002 13:52 <DIR> Microsoft
01.01.2002 02:58 <DIR> dllcache
 1 Datei(en) 425.984 Bytes
 2 Verzeichnis(se), 484.564.992 Bytes frei

The rest comes after the reboot ...

... here is the 2nd log:

L2Mfix 1.02b
Running From:
C:\DOKUME~1\DANIEL~1\Desktop\l2mfix\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone" - adding new ACCESS DENY entry

Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Jeder
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

Setting up for Reboot
Starting Reboot!
C:\Dokumente und Einstellungen\Daniel Weber\Desktop\l2mfix\l2mfix
System Rebooted!

Running From:
C:\Dokumente und Einstellungen\Daniel Weber\Desktop\l2mfix\l2mfix

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1448 'explorer.exe'
Killing PID 1448 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Desktop.ini sucessfully removed

Zipping up files for submission:
  adding: echo.reg (deflated 14%)
  adding: clear.reg (deflated 2%)
  adding: desktop.ini (stored 0%)
  adding: readme.txt (deflated 49%)
  adding: direct.txt (deflated 6%)
  adding: report.txt (deflated 62%)
  adding: lo2.txt (deflated 71%)
  adding: test2.txt (stored 0%)
  adding: test3.txt (stored 0%)
  adding: test5.txt (stored 0%)
  adding: test.txt (stored 0%)
  adding: backregs/shell.reg (deflated 74%)

Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-IO) ALLOW Read VORDEFINIERT\Hauptbenutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITÄT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{}"=- **************************************************************************** Desktop.ini Contents: **************************************************************************** [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} **************************************************************************** Und zu guter Letzt das HiJackThis Log: Logfile of HijackThis v1.99.1 Scan saved at 13:52:15, on 23.04.2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\soundman.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe D:\ARBEITEN\0190WA~1\WARN0190.EXE C:\WINDOWS\System32\qttask.exe D:\Arbeiten\Logitech\iTouch\iTouch.exe C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe 
D:\Arbeiten\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Arbeiten\Logitech\MouseWare\system\em_exec.exe
D:\Arbeiten\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programme\ICQLite\ICQLite.exe
D:\Arbeiten\Winamp\winampa.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
D:\Arbeiten\Antivir\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Arbeiten\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
D:\Arbeiten\GetRight\getright.exe
D:\Arbeiten\GetRight\getright.exe
D:\Arbeiten\Antivir\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Arbeiten\httpd\ohttpd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
D:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arbeiten\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [0190 Warner] D:\ARBEITEN\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:Arbeiten\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Arbeiten\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Arbeiten\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WinampAgent] D:\Arbeiten\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\Arbeiten\Antivir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Arbeiten\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Arbeiten\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - D:\Arbeiten\GetRight\GRdownload.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\Arbeiten\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Arbeiten\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Arbeiten\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Arbeiten\ICQ\ICQ.exe
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/de/win/QuickTimeInstaller.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64118EC2-5F7C-4B40-BE2B-DAE0C63664E8}: NameServer = 217.237.151.225 217.237.150.225
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Arbeiten\Antivir\AVGUARD.EXE
O23 - Service: Apache - Unknown owner - D:\Arbeiten\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Arbeiten\Antivir\AVWUPSRV.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OmniHTTPd Professional (OmniHTTPd) - Unknown owner - D:\Arbeiten\httpd\ohttpd.exe

Thanks a lot in advance, what you do here is really great!!!

This post was edited on 23.04.2005 at 13:54 by Zira.
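The HijackThis logs in this thread are read by eye: the helper looks for browser helper objects without a name, entries that point at files which no longer exist, ActiveX downloads (O16) from hosts nobody recognises, a missing URLSearchHook, and so on. As an added example that is not part of this thread and not code from HijackThis, the Python script below encodes a few of those rules and runs them over lines copied from the logs posted here, plus one constructed O4 line built from the C:\WINDOWS\System32\w?crtupd.exe path the thread discusses. The allow-list of download hosts and the "no vowels" heuristic for random-looking file names are assumptions of the example, not rules from HijackThis; the output is a shortlist for a human to check, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, plus one constructed O4 line built from the w?crtupd.exe path
# discussed below (the run-key name "constructed" is a placeholder).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arbeiten\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33FB3B50-C042-0C97-8724-645508F37D3C} - (no file)
O2 - BHO: (no name) - {93CE175E-A3E2-AE3A-9D28-DEC81B8D2BE4} - C:\WINDOWS\System32\gxqypknr.dll
O2 - BHO: (no name) - {B01E8A0F-3BEC-356B-99A8-46819FC45FE1} - C:\WINDOWS\System32\wipz.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKCU\..\Run: [constructed] C:\WINDOWS\System32\w?crtupd.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O23 - Service: Apache - Unknown owner - D:\Arbeiten\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption of this example: hosts from which an ActiveX download is
# expected on this machine. Anything else is listed for a human to check.
ALLOWED_DPF_HOSTS = {"go.microsoft.com", "support.f-secure.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
BINARY_RE = re.compile(r"([A-Za-z_]+)\.(?:dll|exe)\b", re.IGNORECASE)


def parse_entry(line):
    """Split 'O2 - BHO: ...' into ('O2', 'BHO: ...'); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("rest")) if m else None


def looks_random(stem):
    """Crude heuristic (assumption of this example): six or more letters with
    no a/e/i/o/u, like gxqypknr. Short names are ignored to limit false hits."""
    return len(stem) >= 6 and not re.search(r"[aeiou]", stem, re.IGNORECASE)


def triage_line(line, allowed_hosts=ALLOWED_DPF_HOSTS):
    """Return the reasons this entry deserves a second look; [] if unremarkable."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, rest = parsed
    reasons = []
    if "(file missing)" in rest or "(no file)" in rest:
        reasons.append("points at a file that no longer exists (dangling entry)")
    if kind == "O2" and rest.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if kind == "R3" and "URLSearchHook is missing" in rest:
        reasons.append("default URLSearchHook missing")
    if kind == "O15":
        reasons.append("trusted-zone or protocol-default change")
    if kind == "O16":
        # The URL is the last " - " separated field of a DPF entry.
        host = urlparse(rest.rsplit(" - ", 1)[-1]).hostname or ""
        if host not in allowed_hosts:
            reasons.append(f"ActiveX download from host not on the allow-list: {host}")
    if kind in ("O2", "O4"):
        # '?' is not a legal Windows file-name character, so its presence
        # means the log could not render the real character in the name.
        if "?" in rest:
            reasons.append("path contains a character the log could not render (shown as '?')")
        m = BINARY_RE.search(rest)
        if m and looks_random(m.group(1)):
            reasons.append(f"random-looking file name: {m.group(1)}")
    return reasons


def triage_log(text, allowed_hosts=ALLOWED_DPF_HOSTS):
    """Run triage_line over a whole log; returns [(line, reasons)] for flagged lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line, allowed_hosts)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Legitimate entries (the Adobe BHO, the Microsoft and F-Secure downloads, the NVIDIA service) pass through silently, while the three nameless BHOs, the dangling Apache service, the ICQ game download and the entry with the unrenderable character are listed with the reason each rule fired.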
23.04.2005, 14:59
Honorary member
Posts: 29434
#4
• Online scan (Panda) --> if the antivirus "complains" --> ignore it
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
report on the scan
__________
Kind regards, Sabina
all about PC security
23.04.2005, 18:37
Member
Thread starter, Posts: 14
#5
This is the scan log:

Incident Status Location
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\ActiveX.inf
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\ActiveX.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
Virus:Bck/IRCFlood.V Disinfected D:\Arbeiten\NoNameScript\script\dlls\stdio.dll
Possible Virus. No disinfected E:\Extras\Leserumfrage\BrandAwareness2005.exe

It said 16 viruses found ...
24.04.2005, 01:05
Honorary member
Posts: 29434
#6
Hello @Zira

•KillBox
http://www.bleepingcomputer.com/files/killbox.php
•Delete File on Reboot <-- tick it and click the red cross; when asked "Do you want to reboot?" ----> click "no" and paste the next one, only for the last one click "yes"
C:\GatorPatch.log
C:\WINDOWS\Downloaded Program Files\ActiveX.inf
C:\WINDOWS\system32\javex80.vxd
C:\WINDOWS\system32\javex80.vxd
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
D:\Arbeiten\NoNameScript\script\dlls\stdio.dll

Restart the PC

#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
Download --> update --> scan --> restart the PC --> scan again --> post the scan log

Start --> All Programs --> Accessories --> Notepad, and paste the following text:
dir C:\WINDOWS\system32\w?crtupd.exe /a h > files.txt
notepad files.txt
< Save as: Findfile.bat
< Save as type: All files
< save it on the Desktop
Locate FindFile.bat --> double-click the bat file, Notepad opens --> post the text
__________
Kind regards, Sabina
all about PC security
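The Findfile.bat above relies on cmd's `?` wildcard: HijackThis and the console both print `?` where a file name contains a character they cannot render, so a pattern with `?` in that position still matches the real name on disk. As an added example (not part of this thread, and not how the batch file works internally), the Python script below does the same match with `fnmatch` against a temporary directory and then reports the exact code point of every non-printable or non-ASCII character in each matching name, so the real name can be quoted precisely when the file is submitted to a scanner or removed. The directory and the file names in it, including the no-break space standing in for the unknown character, are constructed for the demo and are not taken from the infected machine.

```python
import fnmatch
import os
import shutil
import tempfile
import unicodedata


def odd_characters(name):
    """List (index, char, 'U+XXXX', unicode name) for every character of
    `name` outside printable ASCII; these are the ones a console shows as '?'."""
    found = []
    for i, ch in enumerate(name):
        if ch < " " or ch > "~":
            found.append((i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def resolve_pattern(directory, pattern):
    """Match `pattern` ('?' = any single character, '*' = any run, as in cmd's
    dir) against the entries of `directory` and return [(name, odd_characters)]
    for each match, so the caller sees what the '?' actually stands for."""
    matches = []
    for name in sorted(os.listdir(directory)):
        if fnmatch.fnmatchcase(name, pattern):
            matches.append((name, odd_characters(name)))
    return matches


def make_demo_dir():
    """Constructed sample directory (assumption of this example): one file whose
    name hides a no-break space (U+00A0) where tools print '?', one with the
    plain name, and one unrelated file. All three are empty."""
    directory = tempfile.mkdtemp(prefix="findfile-demo-")
    for name in ("w\u00a0crtupd.exe", "wcrtupd.exe", "notepad.exe"):
        open(os.path.join(directory, name), "wb").close()
    return directory


def demo(pattern="w?crtupd.exe"):
    """Build the sample directory, resolve the pattern, clean up, return matches."""
    directory = make_demo_dir()
    try:
        return resolve_pattern(directory, pattern)
    finally:
        shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    for name, odd in demo():
        print(repr(name))
        for index, ch, codepoint, uname in odd:
            print(f"  position {index}: {codepoint} {uname}")
```

Only the file with the hidden character matches the pattern; the plainly named `wcrtupd.exe` does not, because `?` must consume exactly one character. The reported U+XXXX value is what to record, since the placeholder a console prints depends on its code page.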
24.04.2005, 11:45
Member
Thread starter, Posts: 14
#7
Here is the scan log:

Ad-Aware SE Build 1.05
Logfile Created on:Sonntag, 24. April 2005 11:30:06
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R40 20.04.2005

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):20 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

24.04.2005 11:30:06 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Daniel Weber\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : S-1-5-21-1085031214-1708537768-2125461235-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 468 ThreadCreationTime : 24.04.2005 09:27:41 BasePriority : Normal
#:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 524 ThreadCreationTime : 24.04.2005 09:27:43 BasePriority : Normal
#:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 548 ThreadCreationTime : 24.04.2005 09:27:46 BasePriority : High
#:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 596 ThreadCreationTime : 24.04.2005 09:27:46 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Betriebssystem Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Anwendung für Dienste und Controller InternalName : services.exe LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten. OriginalFilename : services.exe
#:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 608 ThreadCreationTime : 24.04.2005 09:27:46 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe
#:6 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 768 ThreadCreationTime : 24.04.2005 09:27:47 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:7 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 820 ThreadCreationTime : 24.04.2005 09:27:47 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:8 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 944 ThreadCreationTime : 24.04.2005 09:27:48 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 960 ThreadCreationTime : 24.04.2005 09:27:48 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:10 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1092 ThreadCreationTime : 24.04.2005 09:27:48 BasePriority : Normal FileVersion : 5.1.2600.0 (XPClient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe
#:11 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 1444 ThreadCreationTime : 24.04.2005 09:27:57 BasePriority : Normal FileVersion : 6.00.2600.0000 (xpclient.010817-1148) ProductVersion : 6.00.2600.0000 ProductName : Betriebssystem Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten. OriginalFilename : EXPLORER.EXE
#:12 [soundman.exe] FilePath : C:\WINDOWS\ ProcessID : 1704 ThreadCreationTime : 24.04.2005 09:27:59 BasePriority : Normal FileVersion : 5, 0, 0, 0 ProductVersion : 5, 0, 0, 0 ProductName : Avance Sound Manager CompanyName : Avance Logic, Inc. FileDescription : Avance Sound Manager InternalName : ALSMTray LegalCopyright : Copyright (c) 2001 Avance Logic, Inc. OriginalFilename : ALSMTray.exe Comments : Avance AC97 Audio Sound Manager
#:13 [hpoopm07.exe] FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\ ProcessID : 1744 ThreadCreationTime : 24.04.2005 09:28:00 BasePriority : Normal
#:14 [warn0190.exe] FilePath : D:\ARBEITEN\0190WA~1\ ProcessID : 1752 ThreadCreationTime : 24.04.2005 09:28:00 BasePriority : Normal FileVersion : 3.10.0.112 ProductVersion : 3.10 ProductName : 0190 Warner CompanyName : Mirko Böer FileDescription : 0190 Warner LegalCopyright : Copyright © 2001 - 2002 Mirko Böer Comments : http://www.wt-rate.com/
#:15 [qttask.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1760 ThreadCreationTime : 24.04.2005 09:28:01 BasePriority : Normal
#:16 [itouch.exe] FilePath : D:\Arbeiten\Logitech\iTouch\ ProcessID : 1768 ThreadCreationTime : 24.04.2005 09:28:01 BasePriority : Normal FileVersion : 2.15.264 ProductVersion : 2.15.264 ProductName : iTouch CompanyName : Logitech Inc. FileDescription : iTouch Application InternalName : iTouch LegalCopyright : (C) 1998-2002 Logitech. All rights reserved. LegalTrademarks : Logitech® and iTouch® are registered trademarks of Logitech Inc. OriginalFilename : iTouch.exe Comments : Created by the iTouch team
#:17 [mm_tray.exe] FilePath : C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\ ProcessID : 1788 ThreadCreationTime : 24.04.2005 09:28:02 BasePriority : Normal FileVersion : 7.10.1070 ProductVersion : 7.10.1070 ProductName : MUSICMATCH JUKEBOX CompanyName : MUSICMATCH, Inc. FileDescription : mm_tray InternalName : mm_tray LegalCopyright : Copyright (c) MUSICMATCH 1998-2001 LegalTrademarks : OriginalFilename : mm_tray.exe
#:18 [em_exec.exe] FilePath : D:\Arbeiten\Logitech\MouseWare\system\ ProcessID : 1820 ThreadCreationTime : 24.04.2005 09:28:03 BasePriority : Normal FileVersion : 9.75.302 ProductVersion : 9.75.302 ProductName : MouseWare CompanyName : Logitech Inc. FileDescription : Logitech Events Handler Application InternalName : Em_Exec LegalCopyright : (C) 1987-2002 Logitech. All rights reserved. LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc. OriginalFilename : Em_Exec.exe Comments : Created by the MouseWare team
#:19 [ctsysvol.exe] FilePath : D:\Arbeiten\Creative\SBAudigy2ZS\Surround Mixer\ ProcessID : 1828 ThreadCreationTime : 24.04.2005 09:28:03 BasePriority : Normal FileVersion : 1.3.8.0 ProductVersion : 1.0.0.0 ProductName : Creative Volume Control CompanyName : Creative Technology Ltd FileDescription : CTSysVol.exe LegalCopyright : Copyright (c) Creative Technology Ltd., 2002-2003. All rights reserved. OriginalFilename : CTSysVol.exe
#:20 [ctdvddet.exe] FilePath : D:\Arbeiten\Creative\SBAudigy2ZS\DVDAudio\ ProcessID : 1836 ThreadCreationTime : 24.04.2005 09:28:05 BasePriority : Normal FileVersion : 1.0.3.0 ProductVersion : 1.0.3.0 ProductName : CTDVDDET CompanyName : Creative Technology Ltd FileDescription : CTDVDDET InternalName : CTDVDDET LegalCopyright : Copyright (c) Creative Technology Ltd., 2002-2003. All rights reserved. OriginalFilename : CTDVDDET.EXE
#:21 [cthelper.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1852 ThreadCreationTime : 24.04.2005 09:28:05 BasePriority : Normal FileVersion : 1, 0, 1, 0 ProductVersion : 1, 0, 1, 0 ProductName : CtHelper Application CompanyName : Creative Technology Ltd FileDescription : CtHelper MFC Application InternalName : CtHelper LegalCopyright : Copyright (C) 2002-03 OriginalFilename : CtHelper.EXE
#:22 [icqlite.exe] FilePath : C:\Programme\ICQLite\ ProcessID : 1884 ThreadCreationTime : 24.04.2005 09:28:06 BasePriority : Normal FileVersion : 555 ProductVersion : 1, 0, 0 ProductName : ICQLite CompanyName : ICQ Ltd. FileDescription : ICQLite InternalName : ICQ Lite LegalCopyright : Copyright (C) 2002 OriginalFilename : ICQLite.exe
#:23 [winampa.exe] FilePath : D:\Arbeiten\Winamp\ ProcessID : 1892 ThreadCreationTime : 24.04.2005 09:28:07 BasePriority : Normal
#:24 [jusched.exe] FilePath : C:\Programme\Java\j2re1.4.2_06\bin\ ProcessID : 1900 ThreadCreationTime : 24.04.2005 09:28:08 BasePriority : Normal
#:25 [avgnt.exe] FilePath : D:\Arbeiten\Antivir\ ProcessID : 1908 ThreadCreationTime : 24.04.2005 09:28:09 BasePriority : Normal
#:26 [ctfmon.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1924 ThreadCreationTime : 24.04.2005 09:28:09 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : CTF Loader InternalName : CTFMON LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : CTFMON.EXE
#:27 [rcman.exe] FilePath : D:\Arbeiten\Creative\MediaSource\RemoteControl\ ProcessID : 1936 ThreadCreationTime : 24.04.2005 09:28:10 BasePriority : Normal FileVersion : 2.0.0.3 ProductVersion : 2.0.0.0 ProductName : Creative MediaSource 2 Remote Control System CompanyName : Creative Technology Ltd FileDescription : Remote Control Manager InternalName : RcMan LegalCopyright : Copyright (c) Creative Technology Ltd.,2003. All rights reserved. OriginalFilename : RcMan.EXE
#:28 [wcescomm.exe] FilePath : C:\Programme\Microsoft ActiveSync\ ProcessID : 1944 ThreadCreationTime : 24.04.2005 09:28:11 BasePriority : Normal FileVersion : 3.7.1.4034 ProductVersion : 3.7.4034 ProductName : Microsoft ActiveSync CompanyName : Microsoft Corporation FileDescription : ActiveSync Connection Manager InternalName : wcescomm LegalCopyright : Copyright © 1995-2003 Microsoft Corp. Alle Rechte vorbehalten. LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. OriginalFilename : WCESCOMM.EXE
#:29 [getright.exe] FilePath : D:\Arbeiten\GetRight\ ProcessID : 1960 ThreadCreationTime : 24.04.2005 09:28:13 BasePriority : Normal FileVersion : 5.1 beta 2 ProductVersion : 5.1 beta 2 ProductName : GetRight CompanyName : Headlight Software, Inc. FileDescription : GetRight® www.getright.com InternalName : GETRIGHT LegalCopyright : Copyright © 2004 Headlight Software, Inc. LegalTrademarks : "GetRight" and the GetRight "arrows around a globe" logo are registered trademarks of Headlight Software OriginalFilename : GETRIGHT.EXE Comments : GetRight® was designed and developed by Michael J Burford.
#:30 [getright.exe] FilePath : D:\Arbeiten\GetRight\ ProcessID : 1976 ThreadCreationTime : 24.04.2005 09:28:16 BasePriority : Normal FileVersion : 5.1 beta 2 ProductVersion : 5.1 beta 2 ProductName : GetRight CompanyName : Headlight Software, Inc. FileDescription : GetRight® www.getright.com InternalName : GETRIGHT LegalCopyright : Copyright © 2004 Headlight Software, Inc. LegalTrademarks : "GetRight" and the GetRight "arrows around a globe" logo are registered trademarks of Headlight Software OriginalFilename : GETRIGHT.EXE Comments : GetRight® was designed and developed by Michael J Burford.
#:31 [alg.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 392 ThreadCreationTime : 24.04.2005 09:29:00 BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Application Layer Gateway Service InternalName : ALG.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : ALG.exe
#:32 [avwupsrv.exe] FilePath : D:\Arbeiten\Antivir\ ProcessID : 420 ThreadCreationTime : 24.04.2005 09:29:00 BasePriority : Normal
#:33 [cdantsrv.exe] FilePath : C:\WINDOWS\System32\DRIVERS\ ProcessID : 440 ThreadCreationTime : 24.04.2005 09:29:00 BasePriority : Normal FileVersion : 3.25.010 ProductVersion : 3.25.010 Windows NT 2002/01/07 ProductName : CD-Secure/CD-Compress Windows NT CompanyName : C-Dilla Ltd FileDescription : C-Dilla RTS Service InternalName : CDANTSRV LegalCopyright : Copyright (c) Macrovision 1993-2002 OriginalFilename : CDANTSRV.EXE Comments : StringFileInfo: U.S. English
#:34 [ctsvccda.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 460 ThreadCreationTime : 24.04.2005 09:29:01 BasePriority : Normal FileVersion : 1.0.1.0 ProductVersion : 1.0.0.0 ProductName : Creative Service for CDROM Access CompanyName : Creative Technology Ltd FileDescription : Creative Service for CDROM Access InternalName : CTsvcCDAEXE LegalCopyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved. OriginalFilename : CTsvcCDA.EXE
#:35 [nvsvc32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 508 ThreadCreationTime : 24.04.2005 09:29:01 BasePriority : Normal FileVersion : 6.14.10.5303 ProductVersion : 6.14.10.5303 ProductName : NVIDIA Driver Helper Service, Version 53.03 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 53.03 InternalName : NVSVC LegalCopyright : (C) NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe
#:36 [ohttpd.exe] FilePath : D:\Arbeiten\httpd\ ProcessID : 112 ThreadCreationTime : 24.04.2005 09:29:01 BasePriority : Normal
#:37 [mspmspsv.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1120 ThreadCreationTime : 24.04.2005 09:29:11 BasePriority : Normal FileVersion : 7.00.00.1954 ProductVersion : 7.00.00.1954 ProductName : Microsoft (R) DRM CompanyName : Microsoft Corporation FileDescription : WMDM PMSP Service InternalName : MSPMSPSV.EXE LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000 OriginalFilename : MSPMSPSV.EXE
#:38 [ad-aware.exe] FilePath : D:\Arbeiten\Ad-Aware SE Personal\ ProcessID : 1688 ThreadCreationTime : 24.04.2005 09:29:54 BasePriority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Deep scanning and examining files (D
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 20

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

11:40:03 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:56.548
Objects scanned:196885
Objects identified:0
Objects ignored:0
New critical objects:0

And this is what is in the editor:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 381F-0A07

Verzeichnis von C:\WINDOWS\system32

06.04.2005 14:36 425.984 w?crtupd.exe
1 Datei(en) 425.984 Bytes

Verzeichnis von C:\Dokumente und Einstellungen\Daniel Weber\Desktop
24.04.2005, 12:02
Honorary member
Posts: 29434
#8
Verzeichnis von C:\WINDOWS\system32
06.04.2005 14:36 425.984 w?crtupd.exe
1 Datei(en) 425.984 Bytes

What did you install on that day?
__________
Kind regards, Sabina
all about PC security
24.04.2005, 12:15
Member
Thread starter, Posts: 14
#9
Hmm ... *thinking*
Now you're asking me something ... I don't remember anymore. Around that time was the Dark Age of Camelot: Catacombs release (online role-playing game), but I can't tell you exactly.
24.04.2005, 12:31
Honorary member
Posts: 29434
#10
Delete this one
C:\WINDOWS\system32\w?crtupd.exe
but leave it in the recycle bin for now
__________
Kind regards, Sabina
all about PC security
24.04.2005, 18:29
Member
Thread starter, Posts: 14
#11
With the best will in the world, either I'm too dumb to find it or the file is gone ...
*Update* - AntiVir isn't acting up anymore either ... the file seems to be gone ...

This post was edited on 24.04.2005 at 18:34 by Zira.
24.04.2005, 18:34
Honorary member
Posts: 29434
#12
•KillBox
http://www.bleepingcomputer.com/files/killbox.php
•Delete File on Reboot <-- tick it
C:\WINDOWS\system32\w?crtupd.exe
and click the red cross; when asked "Do you want to reboot?" ----> click yes
__________
Kind regards, Sabina
all about PC security
24.04.2005, 18:35
Member
Thread starter, Posts: 14
#13
This file does not seem to exist
*Update* - AntiVir Guard works now too - thanks a lot!!! What exactly did I catch there?! It was quite a bit, wasn't it?!

This post was edited on 25.04.2005 at 10:32 by Zira.
Now there are several problems bothering me. For one, AntiVir doesn't work properly, i.e. the AntiVir Guard is always 'deactivated' and cannot be activated. For another, when I start the main program I get the following error message under 'System test': The logged file C:\Windows\system32\w?crtupd.exe could not be copied to the temporary directory. What does that mean? Unfortunately, no updates help. Does it maybe have something to do with the Guard?
But now my main problem: the trojans. I'd best paste my HijackThis logfile into the thread and hope for help. AntiVir finds 7 different trojans and I hope they can be destroyed, because I'm fed up with the pop-ups and 0190 windows!
Logfile of HijackThis v1.99.1
Scan saved at 14:04:35, on 21.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
D:\ARBEITEN\0190WA~1\WARN0190.EXE
C:\WINDOWS\System32\qttask.exe
D:\Arbeiten\Logitech\iTouch\iTouch.exe
C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
D:\Arbeiten\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Arbeiten\Logitech\MouseWare\system\em_exec.exe
D:\Arbeiten\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
D:\Arbeiten\Winamp\winampa.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
D:\Arbeiten\Antivir\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Arbeiten\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\w?crtupd.exe
D:\Arbeiten\GetRight\getright.exe
D:\Arbeiten\GetRight\getright.exe
D:\Arbeiten\Antivir\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Arbeiten\httpd\ohttpd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Arbeiten\OfficeXP\Office10\OUTLOOK.EXE
D:\Arbeiten\OfficeXP\Office10\WINWORD.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Arbeiten\Antivir\AVWIN.EXE
D:\Downloads\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arbeiten\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33FB3B50-C042-0C97-8724-645508F37D3C} - (no file)
O2 - BHO: (no name) - {93CE175E-A3E2-AE3A-9D28-DEC81B8D2BE4} - C:\WINDOWS\System32\gxqypknr.dll
O2 - BHO: (no name) - {B01E8A0F-3BEC-356B-99A8-46819FC45FE1} - C:\WINDOWS\System32\wipz.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [0190 Warner] D:\ARBEITEN\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:Arbeiten\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Arbeiten\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Arbeiten\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WinampAgent] D:\Arbeiten\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\Arbeiten\Antivir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Arbeiten\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Fze] C:\WINDOWS\System32\w?crtupd.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Arbeiten\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - D:\Arbeiten\GetRight\GRdownload.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\Arbeiten\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Arbeiten\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Arbeiten\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Arbeiten\ICQ\ICQ.exe
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/de/win/QuickTimeInstaller.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64118EC2-5F7C-4B40-BE2B-DAE0C63664E8}: NameServer = 217.237.151.225 217.237.150.225
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Arbeiten\Antivir\AVGUARD.EXE
O23 - Service: Apache - Unknown owner - D:\Arbeiten\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Arbeiten\Antivir\AVWUPSRV.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OmniHTTPd Professional (OmniHTTPd) - Unknown owner - D:\Arbeiten\httpd\ohttpd.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
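The log above is the kind of thing helpers like Sabina triaged by eye. The script below is an added example for this thread, not part of the original posts and not HijackThis's own logic: it parses HijackThis 1.99 entries and applies a few heuristics that match what was ticked for "Fix checked" here (orphaned BHOs and services, nameless BHOs, O15 zone tampering, ActiveX downloads from a dialer URL, a missing URLSearchHook). It also deals with the w?crtupd.exe problem: HijackThis prints characters it cannot display as '?', and '?' is not a legal Windows file-name character, which is most likely why KillBox reported that the literal path does not exist. The `locate_candidates` function turns the logged name into a glob where '?' matches exactly one character. The sample log lines are copied from the post above; the directory listing (including the non-ASCII file name) and every heuristic are constructed assumptions of this example.

```python
"""Triage a HijackThis 1.99 log and locate an autostart file whose name
HijackThis could only render with '?'. Added example for this thread; the
heuristics are this example's own assumptions, not HijackThis logic."""
import fnmatch
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arbeiten\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33FB3B50-C042-0C97-8724-645508F37D3C} - (no file)
O2 - BHO: (no name) - {93CE175E-A3E2-AE3A-9D28-DEC81B8D2BE4} - C:\WINDOWS\System32\gxqypknr.dll
O2 - BHO: (no name) - {B01E8A0F-3BEC-356B-99A8-46819FC45FE1} - C:\WINDOWS\System32\wipz.dll (file missing)
O4 - HKLM\..\Run: [AVGCtrl] "D:\Arbeiten\Antivir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Fze] C:\WINDOWS\System32\w?crtupd.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Arbeiten\Antivir\AVGUARD.EXE
O23 - Service: Apache - Unknown owner - D:\Arbeiten\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""


class Finding(NamedTuple):
    code: str                  # HijackThis section prefix, e.g. "O2"
    reasons: Tuple[str, ...]   # every heuristic the entry tripped
    entry: str                 # the raw log line


ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def reasons_for(code: str, body: str) -> Tuple[str, ...]:
    """Heuristic indicators (assumptions of this example) for one entry."""
    hits = []
    if "(no file)" in body or "(file missing)" in body:
        hits.append("registered component whose file is gone")
    if code == "O2" and body.startswith("BHO: (no name)"):
        hits.append("browser helper object without a name")
    if code == "O4" and "?" in body:
        # HijackThis prints characters it cannot display as '?'; '?' itself is
        # not a legal Windows file-name character, so this is a non-ASCII name.
        hits.append("autostart path with a non-ASCII character")
    if code == "O15":
        hits.append("Internet Explorer zone tampering")
    if code == "O16" and "dialer" in body.lower():
        hits.append("ActiveX download from a dialer URL")
    if code == "O23" and "Unknown owner" in body:
        hits.append("service with no publisher information")
    if code == "R3" and "is missing" in body:
        hits.append("URLSearchHook removed or hijacked")
    return tuple(hits)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, 'Running processes:' and the like
        code, body = m.groups()
        reasons = reasons_for(code, body)
        if reasons:
            findings.append(Finding(code, reasons, line))
    return findings


def locate_candidates(logged_name: str, directory_listing: List[str]) -> List[str]:
    """Treat a HijackThis-rendered name such as 'w?crtupd.exe' as a glob in
    which '?' matches exactly one character and return the real names that fit."""
    return [n for n in directory_listing if fnmatch.fnmatchcase(n, logged_name)]


# Constructed System32 listing; the real file name in the thread is unknown,
# the non-ASCII entry is an assumption used to show the match.
SAMPLE_LISTING = ["wscript.exe", "wcrtupd.exe", "w\u00b5crtupd.exe", "wupdmgr.exe"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.code, "|", "; ".join(f.reasons), "|", f.entry)
    print("candidates:", locate_candidates("w?crtupd.exe", SAMPLE_LISTING))
```

Treat the output as a triage list, not a fix list: "Unknown owner" on its own is a weak signal (the Apache and OmniHTTPd services in the full log carry it too and are just the poster's own software), so look at the combination of reasons and confirm each entry before ticking it for "Fix checked". For the '?' case, run `locate_candidates` against a real listing of System32 (for instance `os.listdir`) and feed the exact name it returns to KillBox instead of the literal path from the log.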